932
edits
Changes
m
→Investigation 2: Modifying OpenLDAP Server Configuration to use TLS: - Added some warnings
<li>Install the openssl package</li>
<li>Run the following commands to create a self-signed TLS certificate for your server (make sure you replace the values with ones from your machine):
{{Admon/important|Warning|As you run these commands, read the output carefully. If you encounter any errors you must resolve them before continuing to the next command.}}
<source>
openssl genrsa -des3 -out ca.key 4096
<li>Copy the certificate, the private key, and the certificte authority file to an appropriate directory (make sure the directory and the files in it are owned by the ldap account and that the directory has permissions set to 0700 and the files have 0600):
<source>cp ldap.pcallagh.ops.crt ldap.pcallagh.ops.key ca.cert.pem /etc/openldap/certs/</source></li>
<li>Write an ldif file to and add the following values to '''dn: cn=config ''' (again making sure to put in values from your own machine):
<source>
olcTLSCertificateFile: /etc/openldap/certs/vm1.pcallagh.ops.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/vm1.pcallagh.ops.key
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
</source>{{Admon/important|Warning|Read the output of the ldapmodify command carefully. If you encounter any errors you must resolve them before continuing to the next command.}}</li>
<li>You can use slapcat to ensure they are set correctly:
<source>slapcat -b "cn=config" | egrep "Certificate(Key)?File"</source></li>
